Network Technology Review and Security Concerns
Transcript of Network Technology Review and Security Concerns
Outline
Overview Issues and Threats in NetworkSecurity
Review basic network technology− TCP/IP in particular− Attacks specific to particular technologies
2
Increased Security Complexity
Different operating systems− Computers, Servers, Network Devices
Multiple Administrative Domains Need to open access
− Lack of complete mediation
Multiple Paths and shared resources Anonymity
3
Classic Threats
Wiretapping− Unauthorized entities see your communications− Traffic Flow Analysis
Tampering/Man-in-the-middle− Communication changed in transit
Spoofing or Masquerading− Communication with an entity posing as someone
else
Denial of Service4
Internet History Designed as a research network
− Assumed that entities are basically trusted Fast forward to now
− Hackers− Viruses / worms− Botnets− Organized crime− …
People have been scrambling to fix securityproblems, at all layers of protocol
5
OSI Reference Model
• The layers– 7: Application, e.g., HTTP, SMTP, FTP– 6: Presentation– 5: Session– 4: Transport, e.g. TCP, UDP– 3: Network, e.g. IP, IPX– 2: Data link, e.g., Ethernet frames, ATM cells– 1: Physical, e.g., Ethernet media, ATM media
• Standard software engineering reasons for thinkingabout a layered design
6
Message mapping to the layers
SVN update message
Segment 2DP
SP
DP
SP Segment 1D
PSP
DP
SP
DA
SA Packet 1 D
PSP
DA
SA
Pack2
Communications bit stream
DP
SP
DA
SA Packet1D
MSM
DP
SP
DA
SA
Pack2
DM
SM
L7 App
L4 TCP
L3 IP
L2 Eth
7
Confidentiality on Physical Layer
Radio waves− Just listen
Microwave− Point-to-point sort of− Dispersal
Ethernet− Inductance of cables− Tapping into Ethernet cables
8
Switches
• Original Ethernet broadcast all packets• Layer two means of passing packets
– Learn or config which MAC's live behind which ports– Only pass traffic to the appropriate port
– But…• Span ports mirror all traffic– Learning methods are insecure
9
Denial of Service
Physical− Jam radio− Cut cables
Data-link− Jam / overload channel− Exploit MAC vulnerabilities
10
Network Layer - IP
Moves packets between computers− Possibly on different physical segments− Best effort
Technologies− Routing− Lower level address discovery (ARP)− Error Messages (ICMP)
11
IP header fields Version - “4” standard, “6” coming very soon Header length - number of 32-bit words in hdr
− Minimum 5, maximum 15 Differentiated Services - codes for how to handle, likely
to be used extensively for streaming, e.g., VOIP Total length of packet, in bytes Identification - used in sequencing fragments,
underused, proposals for other functions, I.e.,traceback
Flags (3 of them), 0, “don’t fragment”, “more fragments” Fragment offset (in units of 8 bytes, from beginning) TTL - maximum remaining allowed hops
IP header fields Protocol - code for protocol at transport layer, e.g.,
ICMP (1), IGMP(2), TCP(6), UDP(17), OSPF (89),SCTP(132) (table of allocated codes is large)
Header checksum- 1’s compliment of sum of 1’scompliment words in header− Changes every time TTL changes!
Source address - (IP address, 32 bits for v4) Destination address (IP address, 32 bits for v4) Options - not often used
IPv4 Addressing
• Each entity has at least one address• Addresses divided into subnetwork
– Address and mask combination– 192.168.1.0/24 or 10.0.0.0/8– 192.168.1.0 255.255.255.0 or 10.0.0.0 255.0.0.0– 192.168.1.0-192.168.1.255 or 10.0.0.0-10.255.255.255
• Addresses in your network are “directly” connected– Broadcasts should reach them– No need to route packets to them
15
Address spoofing
• Sender can put any source address in packetshe sends:– Can be used to send unwelcome return traffic to the
spoofed address– Can be used to bypass filters to get unwelcome
traffic to the destination
• Reverse Path verification can be used byrouters to broadly catch some spoofers
16
Address Resolution Protocol (ARP)
• Used to discover mapping of neighboringethernet MAC to IP addresses.– Need to find MAC for 192.168.1.3 which is in your
interface's subnetwork– Broadcast an ARP request on the link– Hopefully receive an ARP reply giving the correct
MAC– The device stores this information in an ARP cache
or ARP table
17
ARP cache poisoning
• Bootstrap problem with respect to security. Anyone can send anARP reply– The Ingredients to ARP Poison,
http://www.airscanner.com/pubs/arppoison.pdf• Classic Man-in-the-middle attack
– Send ARP reply messages to device so they think your machine issomeone else
– Can both sniff and hijack traffic• Solutions
– Encrypt all traffic– Monitoring programs like arpwatch to detect mapping changes
• Which might be valid due to DHCP
18
IPv4 Routing How do packets on the Internet find their
destination?− Forwarding: each router decides where the packet
should go next− Routing: setting up forwarding rules in each router
Forwarding is “emergent” behavior− Each router autonomously decides where a packet
should go− Routing tries to ensure that all these decisions in
concert work well
19
Forwarding Tables
130.126.136.0/21 if1130.126.160.0/21 if2130.126.0.0/16 if30.0.0.0/0 if4
Most specific rule is used Most hosts outside of the core have default
rules
CRHC
EWSif2
if4
Internet
UIUC
20
Routing How are forwarding tables set up? Manual static routes
− Works well for small networks with default routes Automatic dynamic routes
− OSPF / RIP for internal routes− BGP for external routes
21
BGP Internet split up into Autonomous Systems
(ASes) Each AS advertises networks it can reach
− Aggregates networks from its neighbor ASes inadvertisements
− Uses local policies to decide what to re-advertise When setting up routes:
− Pick the most specific advertisement− Use the shortest AS path− Adjust with local policy
22
Prefix Hijacking Some ASes may advertise the wrong prefix Case study: Pakistan Telecom
− Wanted to block YouTube− Routes 208.65.153.0/24 to bit bucket− Advertises route to rest of the world!
Problem:− People close to Pakistan use the bad route− People far away from Pakistan use bad route, too
YouTube uses less specific advertisement,208.65.152.0/22
23
BGP DoS BGP uses TCP connection to communicate
routes and test reachability Attacks on TCP connections are possible
− Send reset− Low-resource jamming
Result: cut arbitrary links on the Internet− Easier than cutting cables!
24
Source Based Routing
• In the IP Options field, can specify a sourceroute– Was conceived of as a way to ensure some traffic
could be delivered even if the routing table wascompletely screwed up.
• Can be used by the bad guy to avoid securityenforcing devices– Most folks configure routers to drop packets with
source routes set
25
IP Options in General
• Originally envisioned as a means to add morefeatures to IP later
• Most routers drop packets with IP options set– Stance of not passing traffic you don’t understand– Therefore, IP Option mechanisms never really took
off• In addition to source routing, there are security
Options– Used for DNSIX, a MLS network encryption scheme
26
Internet Control Message Protocol(ICMP)
• Used for diagnostics– Destination unreachable– Time exceeded, TTL hit 0– Parameter problem, bad header field– Source quench, throttling mechanism rarely used– Redirect, feedback on potential bad route– Echo Request and Echo reply, ping– Timestamp request and Timestamp reply, performance ping– Packet too big
• Can use information to help map out a network– Some people block ICMP from outside domain
27
Smurf Attack
• An amplification DoS attack– A relatively small amount of information sent is expanded to a
large amount of data
• Send ICMP echo request to IP broadcast addresses.Spoof the victim's address as the source
• The echo request receivers dutifully send echo repliesto the victim overwhelming it
• Fraggle is a UDP variant of the same attack
28
“Smurf”
Internet
Perpetrator Victim
ICMP echo (spoofed source address of victim)Sent to IP broadcast address
ICMP echo reply
29
Transport Level – TCP and UDP
• Service to service communication.– Multiple conversations possible between same pair of
computers• Transport flows are defined by source and destination ports• Applications are associated with ports (generally just destination
ports)– IANA organizes port assignments http://www.iana.org/
• Source ports often dynamically selected– Ports under 1024 are considered well-known ports– Would not expect source ports to come from the well-known
range
30
Reconnaissance
Port scanning− Send probes to all ports on the target− See which ones respond
Application fingerprinting− Analyze the data returned− Determine type of application, version, basic
configuration− Traffic answering from port 8080 is HTTP, Apache
or Subversion
31
Reliable Streams
• Transmission Control Protocol (TCP)– Guarantees reliable, ordered stream of traffic– Such guarantees impose overhead– A fair amount of state is required on both ends
• Most Internet protocols use TCP, e.g., HTTP,FTP, SSH, H.323 control channels
32
TCP Header
Source Port Destination Port
Sequence Number
Acknowledgement number
HDRLen
URG
ACK
PSH
RST
SYN
FIN
WindowSize
Checksum Urgent Pointer
Options (0 or more words)
33
Syn flood
• A resource DoS attack focused on the TCP three-wayhandshake
• Say A wants to set up a TCP connection to B1. A sends SYN with its sequence number X2. B replies with its own SYN and sequence number Y and an ACK
of A’s sequence number X3. A sends data with its sequence number X and ACK’s B’s
sequence number Y– Send many of the first message to B. Never respond to the
second message.– This leaves B with a bunch of half open (or embryonic)
connections that are filling up memory– Firewalls adapted by setting limits on the number of such half
open connections.
35
SYN Flood
Machine A Machine B
SYN:seqno=100
SYN:seqno=511ACK = 100
SYN: seqno=89
SYN:seqno=176
SYN:seqno=344
36
SYN Cookies Server chooses a sequence number “carefully”
− Contains an encrypted bit that encodes server andclient identity
− Called a SYN Cookie Server does not have to store SYN request in
table, it can reconstruct from sequence numberpassed back by legitimate client
Uses some bits defined for TCP, but not oftenused
37
SYN Cookie Construction T = time-stamp, 64 bit resolution (by shifting) M = maximum TCP segment size (MSS) the server
would have stored S = 24 bits resulting from cryptographic operation on
(server IP, server port,client IP, client port, t) The initial sequence number returned by server is
0
T mod 32Code forMS
3158
On receiving a response the server− Checks T bits to determine whether time-out has fired− Checks S to reconstruct addresses− Constructs entry for now established connection
Session Hijacking
Take over a session after the 3 way handshakeis performed− After initial authentication too
Local− Can see all traffic.− Simply inject traffic at a near future sequence
number Blind
− Cannot see traffic− Must guess the sequence number
39
Domain Name System (DNS)
• Hierarchical service to resolve domain names to IP addresses.– The name space is divided into non-overlapping zones– E.g., consider shinrich.cs.uiuc.edu.– DNS servers in the chain. One for .edu, one for .uiuc.edu,
and one for .cs.uiuc.edu• Can have primary and secondary DNS servers per zone. Use
TCP based zone transfer to keep up to date• Like DHCP, no security designed in
– But at least the DNS server is not automatically discovered– Although this information can be dynamically set via DHCP
41
DNS Problems
• DNS Open relays– Makes it look like good DNS server is authoritative
server to bogus name– Enables amplification DoS attack– http://www.us-cert.gov/reading_room/DNS-
recursion121605.pdf
• DNS Cache Poisoning– Change the name to address mapping to something
more desirable to the attacker– http://www.lurhq.com/dnscache.pdf
42
DNS Communication
Use UDP Requests and responses have matching 16 bit
transaction Ids Servers can be configured as
− Authoritative Nameserver Officially responsible for answering requests for a domain
− Recursive Pass on requests to other authoritative servers
− Both (this can be the problem)
44
DNS Cache Poisoning
Older implementations would just acceptadditional information in a reply− e.g. A false authoritative name server
Now to spoof a reply must anticipate the correcttransaction ID− Only 16 bits− Random selection of ID isn't always the greatest
45
DNSSEC
• Seeks to solve the trust issues of DNS• Uses a key hierarchy for verification• Has been under development for a decade and
still not really deployed• Provides authentication, not confidentiality• DNS Threat Analysis in RFC 3833.
47